Actually, Not Much Better at All This Late Than Never

Friday, 21 September 2007

Let’s say I tell you I have in my pocket a frog that can recite the entire alphabet. You doubt it, and ask me to show you. I refuse. You ask me to show it to a trusted third party. I refuse.

A year later, I show you a frog who can recite the alphabet. That’s certainly something. But it doesn’t prove I had the frog in my pocket a year ago.

Which brings me to David Maynor, and his publication last week of a Wi-Fi driver vulnerability affecting Mac OS X 10.4.7 — a vulnerability more or less matching the one he and Johnny Ellch claimed to discover in summer 2006, but which they refused to prove or demonstrate, sparking a rather remarkable controversy.[1]

If you missed or forgot it, or, oddly enough, simply wish to relive it, here are the major pieces I wrote on the matter:

“An Open Challenge to David Maynor and Jon Ellch” (wherein I offered to award Maynor and Ellch a brand-new MacBook if they could hijack it, factory-fresh out of the box, as they did in their demonstration video; the offer was good through 8 September 2006)

Here’s the nut of my criticism: A serious claim must be backed by proof of some sort. Maynor and Ellch’s claims last year were made with no proof other than a suspicious demonstration on video. That’s the root of every dispute and problem that followed. All I wanted to see was proof; it was more skepticism than criticism.

Compare and contrast with a story from this summer: the case of Charles Miller and Independent Security Evaluators. Miller and his colleagues discovered a serious vulnerability in MobileSafari on the iPhone shortly after it shipped, a vulnerability which they claimed could be exploited to take complete control of the iPhone system.

Here’s what Apple spokeswoman Lynn Fox — she who supposedly led an “orchestrated attack” against Maynor and Ellch — told The Times regarding Miller’s iPhone exploit:

“Apple takes security very seriously and has a great track record
of addressing potential vulnerabilities before they can affect
users. We’re looking into the report submitted by I.S.E. and
always welcome feedback on how to improve our security.”

No backlash. No criticism from the Mac media. No questions regarding the veracity of their claim. Why? Because he provided proof when he made the charge. That’s all there is to it.

[1] Worth pointing out: Maynor’s paper describes an attack that leads to a kernel panic. He claims it can be exploited to instead inject code and, rather than crash, take over the machine — but this is not described in the paper. Maynor claims two more papers are forthcoming.